This research seeks to shed light on the rising suspicious activity on GitHub linked to the “Wagemole campaign,” associated with North Korean IT worker operations. It uncovers emerging behavior patterns, engagement strategies, instances of coordinated activity, and the formation of new clusters of fresh empty accounts in GitHub. Additionally, it explores interactions with Web3 projects, suspicious interview practices, and cases where these accounts have successfully operated under the radar.
Our recent investigations have revealed that these accounts not only display specific patterns in their followers and the accounts they follow but also share notable similarities in key aspects such as creation dates, declared skills, similar profile images, comparable bios, and analogous GitHub handles, among other traits.
Our previous investigations uncovered much of the activity associated with the “Wagemole” campaigns, specifically on GitHub:
In our previous work, we focused on identifying the characteristics of these accounts through behavioral analysis, image analysis, follower and following patterns, repository similarities, and other factors that highlight shared traits among certain accounts. This investigation will build on that foundation by analyzing the activity of many of the accounts we identified in earlier research.
Contagious Interview and WageMole campaigns
By late 2023, Palo Alto had outlined the distinctions between these two campaigns. The first, known as “Contagious Interview,” involves threat actors posing as employers — often anonymously or with vague identities — to trick software developers into installing malware during the interview process, enabling various forms of theft. This campaign is attributed with moderate confidence to a North Korean state-sponsored threat actor.
The second campaign, known as “Wagemole,” involves North Korean IT workers masquerading as job seekers to secure unauthorized employment with organizations in the United States and other countries, likely for financial gain or espionage purposes.
In late 2024, Zscaler ThreatLabz reported that North Korean IT workers were using the WageMole campaign to secure remote jobs in other countries. This campaign, closely linked to the Contagious Interview operation, relies on a combination of social engineering and technical skills to obtain legitimate remote job opportunities and generate income through development work
“WageMole” campaign on GitHub
In our previous investigations focused on GitHub, we observed the same shift in suspicious activities described by Zscaler ThreatLabz and Palo Alto, ranging from fake recruiters (Contagious Interview) to job seekers (WageMole campaing).
Some of our findings regarding a LinkedIn profile, later cited by Palo Alto, suggest that the profile we identified was later analyzed by their team, which reported it was associated with the Democratic People’s Republic of Korea (DPRK), and leveraging social engineering as a fake recruiter to deploy new variants of BeaverTail and InvisibleFerret malware. By tracing this same profile on GitHub, we uncovered a large cluster of fake developer accounts linked to the previously described WageMole campaign.
Similarly, many of our findings on GitHub align with recent descriptions by Zscaler ThreatLabz regarding the activity of the threat actor in the WageMole campaign. Specifically, “During the job search, WageMole threat actors aggressively utilize job-seeking platforms such as Indeed, Glassdoor, Upwork, and cryptocurrency-focused sites like degencryptojobs.com and web3.career. Throughout the job-hunting process, they target remote roles such as front-end/back-end web developer, UX/UI designer, full-stack engineer, and blockchain developer.”
Additionally, considering that our focus has been on suspicious activity within GitHub, previous investigations have revealed distinct patterns and characteristics in GitHub accounts. For instance, many of the accounts identified in this investigation share specific traits: similar profile images, statuses like “working from home,” GitHub handles with recurring themes (e.g., Super, Dev, Happy, Smart, Top, Funny, King, Golden), closely aligned account creation dates, and mutual following patterns. These similarities suggest the presence of an interconnected network
These previous investigations aimed to identify and analyze the presence and behavior of the threat actor on GitHub related to the WageMole campaign. Based on these previous findings, the focus of this investigation is to examine the activities of these suspicious accounts on GitHub through specific examples and case studies
Over the past year, there has been a noticeable increase in suspicious activity across various social media platforms and sites like GitHub. This phenomenon has revealed a complex network of fake accounts designed to appear as “developers.” A significant portion of these accounts targets content and audiences within the Web3 sector.
Recently, it has been identified that these fake accounts on GitHub attempt to gain trust by collaborating on projects, often highlighting the title of “open source contributor” in their descriptions or bios. This, along with other behaviors, reflects strategies of adaptation and stealth, enabling them to integrate more subtly (through commits) and remain unnoticed. By establishing a history of collaboration on GitHub, they seek to strengthen their presence and, in some cases, even attempt to secure employment, all while posing potential future risks to the projects they infiltrate.
There are distinct behavior patterns among these “fake dev” accounts in how they engage and interact with organizations on GitHub. A behavior previously outlined in the research tittle: “Reviewing the activity of GitHub accounts associated with Lazarus” reveals that many of these accounts, which also follow each other, have joined these organizations.
This behavior, aimed at generating “credibility” for these GitHub accounts by joining organizations, has been observed on a broader scale. Additionally, there are patterns such as newly created accounts, with profiles specifically seeking to join these particular organizations.
Below, we will present some examples of how these accounts join these organizations.
While there are legitimate accounts within these organizations, there is a set of accounts associated with a network of fake developers who exploit these associations to boost their profiles. The organizations mentioned in the previous image are:
Organizations referenced:
https://github.com/dev-protocol
https://github.com/Design-and-Code
https://github.com/Huniko-Team
https://github.com/Magic-Academy
https://github.com/App-Choreography
https://github.com/Devs-Dungeon
https://github.com/infraform
https://github.com/AccessibleForAll
https://github.com/CommunityPro
https://github.com/Bauddhik-Geeks
https://github.com/Your-brainstorming
https://github.com/EddieHubCommunity
https://github.com/Py-Contributors
https://github.com/chesslablab
While many accounts on GitHub engage in this type of activity, some are legitimate, while others are linked to the “fake developers” network.
This particular behavior of systematically joining organizations after creating a GitHub account is a notable pattern that has recently been observed in many accounts conducting social engineering on GitHub. Their goal is to cultivate a “trustworthy” image, allowing them to blend into the community more seamlessly.
As mentioned earlier, it is important to note that these “organizations” also include legitimate GitHub accounts, particularly from India and Pakistan, who use these connections to enhance their personal profiles.
However, it is evident that accounts linked to this network of fake developers have also adopted this method to increase their credibility on GitHub. Below, we examine the accounts attempting to join this organization [CommunityPro]
On one hand, there is a significant number of legitimate accounts that use this method, sometimes excessively, by joining over 20 organizations; these cases are typically associated with real individuals. On the other hand, there is a group of accounts attempting to mimic these behaviors in order to gain greater credibility.
Some examples of suspicious accounts are as follows:
Example 1:
In this case, we have an account with a person claiming 8 years of experience but with only 1 month of activity. The account features a website registered on January 4, 2025, with all links broken, an AI-generated profile image, and recently, we’ve noticed some “developers” listing Japan as their location.
After checking some repositories from this account, we came to look the people who like the repository named motokimasuo:
In this list of accounts we are going to check the activity of: ShinySyntax
This profile, in particular, shows inconsistencies by using different identities, which are further highlighted by broken links.
It’s interesting because the interaction and eagerness to get hired seem overly conspicuous, as seen here:
On the other hand, there are inconsistencies in the profile that suggest the use of multiple identities to secure a job. This appears to be the website associated with the individual, using the name Muhammad Abdul Sammad, despite their Asian features
Similarly, within their personal information, there is a link to a Telegram account:
This Telegram handle using this profile: sasuke310 — https://t.me/sasuke310
This Telegram directs to a profile called James Kano
The accounts associated with this website are also linked to another account on GitHub:
They also use another website in addition to sasuke.dev. The name of this website is spomoe.xyz, and it was created on April 15, 2024.
The Telegram account use both names: spmoed and sasuke:
Example 2:
Another example that highlights the existence of a network of GitHub accounts joining specific organizations and making commits across various projects to build credibility is as follows:
In this case, we will analyze the profile: https://github.com/kallis312
Similarly, they join organizations similar to those mentioned earlier:
In the following post, we can see that they engage in the same type of interaction with these organizations, and continue to do so:
Upon searching for “yamataku0518” on GitHub, we found several accounts that have interacted with this GitHub handle:
Similarly, there is a forked version on another profile, suggesting that the GitHub handle may have changed
This account also shares commits with other accounts we have previously monitored, which exhibit certain characteristics (such as profile images, GitHub handles) and behaviors (like follower patterns).
Another case linked to the “kallis312” profile involves the following, where this account shared contributions in April 2024 with the following account:
The account mentioned is: xtoben22
Previously, this account used the GitHub handle “Universal9622,” and the email associated with the account is williamduncan91413@gmail.com
By searching for the GitHub handle “Universal9622,” we found the same handle listed on a job platform for individuals in China, which is also shared on Telegram.
In this channel, there is a user using the same name, William Duncan, and writing in Chinese:
Considering the scattered information, the change in the GitHub handle, and the suspicion that this may be an Asian individual using a very Latino name, this case also serves as an example of inconsistency and incoherent information in GitHub accounts attempting to collaborate on projects.
Example 3:
Similar examples of an account using this “interaction” to boost his profile is the user BitFancy:
Likewise, his profile have 1 year of activity and some irregular activity in some repositories, broken links and LinkedIn profile with no activity.
After reviewing several repositories from the user “bitfancy,” one repository stood out to us: “fancydeveloper.” This repository caught our attention because it utilized the user’s stats. However, it appears the GitHub account associated with it has since changed its handle:
The stats in this profile was linked to the GitHub account: “charles0830”
The account that was using this GitHub handle was:
This type of account, with its personal description, use of images similar to those identified in previous investigations, a high number of followers and followings, and unusual methods of trying to be “hired,” stands out.
In the following interaction, it is evident that their previous GitHub handle was “charles0830,” and they were subsequently rejected:
Another quite unusual interaction is the following, where they claim to be a “senior full-stack developer” and state that they’ve been using GitHub for 13 years:
Similarly, another incident linked to the GitHub handle “charles0830” highlights evidence of coordination and organization:
This other account uses the same stats as the account that previously used the GitHub handle “charles0830.” Therefore, there is a high likelihood that the activity of these accounts is linked to this network of fake developers on GitHub, which is commonly associated with the activities of DPRK IT workers.
In this case, the account stopped using the GitHub handle “charles0830” and has now adopted the following under a new identity: “Phoenix-Genius”
We can also observe that they claim to be a “Senior Software Developer” and use specific images that we’ve identified in numerous accounts attempting to gain credibility or secure employment by “collaborating” on GitHub projects.
Example 4
In this example, it occurs the same as the account wants to join certain organizations. However the information they introduce seems fake
In this case it is a new account and the person is stablished in Ukraine:
Upon reviewing the website mentioned on GitHub: https://portfolio-vue-1b44e.web.app/
All the links are broken, and the information on this website appears to be false.
Additionally, conducting some Google searches yields specific results, revealing suspicious links and additional information that doesn’t align with the details provided
Example 5:
Some of the mentioned profiles follow each other, forming a network of accounts that share common traits, such as being labeled “Blockchain,” “Full Stack,” etc. These accounts also contain multiple identities within their repositories, along with evidence of false data. Additionally, some of these accounts follow an organization called “stability DAO”.
Some of the mentioned profiles follow each other, forming a network of accounts that share common labels like “Blockchain,” “Full Stack,” etc. These accounts also feature multiple identities within their repositories, as well as evidence of false data.
Additionally, there are other noteworthy accounts we’ve previously mentioned, such as the account “OnlyForward0613”
The profile account is “OnlyForward613” , its called“Davee” and according to his Bio is a “Senior software Engineering”.
Another recurring pattern is the intent to join specific groups we’ve previously mentioned:
This GitHub account uses two different Twitter accounts, both with similar identities
Through the Twitter account, they share their website and portfolio:
Additionally, their LinkedIn profile does not exist; however, they share a Facebook profile, where, like the other images, the photos appear to be manipulated:
A notable aspect is that three different accounts, with close connections in terms of mutual follows, use the same stats as OnlyForward0613 on their profiles. Coincidentally, these accounts align with our descriptions and are labeled as “blockchain developers.” One example is the account with the GitHub handle “devstar829”:
Similar to this profile, there is also the account: unitop010
Lastly, this profile also uses the same stats: solidityDev05
This type of inconsistent activity, interconnected between these accounts, demonstrates clear coordination and patterns in how they interact with organizations on GitHub.
Evidence shows that there is interaction between these accounts, along with patterns of engagement with organizations. Moreover, these accounts often employ fake identities and use information from other accounts in their own profiles.
These accounts, with their anomalous behavior and the way they engage with organizations, exhibit collective and organized conduct with clear objectives — specifically, to secure job opportunities or collaborate on projects, thereby boosting their credibility on GitHub.
Based on the information provided earlier, several suspicious accounts have been observed commenting on the repositories of these organizations. Notably, there is a high volume of accounts interacting with these repositories, with a considerable portion of them appearing to be legitimate as well:
GitHub accounts suspicious - organizations- https://github.com/CommunityPro/support/issues?page=1&q=is%3Aissue+is%3Aclosed
- https://github.com/Py-Contributors/support/issues?page=1&q=is%3Aissue+is%3Aclosed
- https://github.com/EddieHubCommunity/support/issues?page=1&q=is%3Aissue+is%3Aclosed
- https://github.com/Design-and-Code/support/issues?q=is%3Aissue+is%3Aclosed
An example of suspicious GitHub accounts interacting with these organizations is as follows:
Data set of Accountshttps://github.com/asseph
https://github.com/thuongtruong1009
https://github.com/Benjamin-cup
https://github.com/Cardoso-topdev
https://github.com/camillakathy
https://github.com/erikerik116
https://github.com/Kavorix
https://github.com/Phoenix-Genius
https://github.com/phoenix19950512
https://github.com/smilephoenix103
https://github.com/toptalhook
https://github.com/uniwaydev
https://github.com/creative2113
https://github.com/SacredDever
https://github.com/SacredDevKing
https://github.com/GoldenDev176743
https://github.com/dragonsea0927
https://github.com/felipedev418
https://github.com/techietrend
https://github.com/popstar7
https://github.com/Oyase-shinob
https://github.com/dev0614
- Bigger data set is private -
Many of these accounts exhibit the same type of association, interacting similarly with organizations. Their accounts share specific patterns, such as similar bios and GitHub handles. Additionally, there are traces of these accounts using different identities. These and other characteristic aspects, such as their patterns of interaction and connections with these same accounts, provide evidence of an organized effort and objectives from this network of fake profiles on GitHub.
These suspicious GitHub accounts also exhibit collective activity across other organizations and communities by making commits in these repositories.
Many of these accounts performing these commits had been previously identified. The commits made by these accounts appear to overwrite or remove the contributions made by other accounts:
Many of these accounts had already been reported in this and previous investigations. It’s important to highlight the accounts in this image that use these specific images:
Previous investigations have already highlighted the association between accounts that tend to use similar GitHub handles and profile images, often linked to users identifying as “full stack developers” seeking freelance opportunities.
A similar example can be seen in the following repository, where a group of accounts with matching characteristics make these commits.
In the previous example, we can highlight a profile similar to the one we presented, where an account already referenced uses the same type of image:
In this case, the profile uses the GitHub handle “OceanDev89,” displaying the same image as “fairskyDev0201.”
Other examples of this type of activity are listed below:
Repositories with suspicious activity- https://github.com/typescript-cheatsheets/react/issues/57
- https://github.com/typescript-cheatsheets/react/issues/190
- https://github.com/typescript-cheatsheets/react/issues/167
- https://github.com/typescript-cheatsheets/react/issues/12
- https://github.com/mckaywrigley/chatbot-ui/issues/224
- https://github.com/orgs/community/discussions/69532
- https://github.com/typescript-cheatsheets/react/issues/87
- https://github.com/typescript-cheatsheets/react/issues/63
- https://github.com/unicodeveloper/awesome-nextjs/issues/179
Similarly, it’s worth noting that in these repositories, there are accounts that seem to be linked to this suspicious activity. (It’s possible that they are trying to build history and credibility by commenting on these older posts).
Below are some accounts that are active in these repositories and which we consider suspicious:
Suspicious accounts commiting in these repositorieshttps://github.com/ericbrown2716
https://github.com/peterjohnson4987
https://github.com/renawolford6
https://github.com/Yoshidayoshi23
https://github.com/coopfeathy
https://github.com/holyblock
https://github.com/cedev935
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/aleksandaralek
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/EugeneYoona
https://github.com/fairskyDev0201
https://github.com/bernssolg
https://github.com/erinodev
https://github.com/supercrytoking
https://github.com/johnfrench3
https://github.com/dreamcoder75
https://github.com/TechSolutionNinja
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/Linda423
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/genie4viz
https://github.com/chivalrousdev
https://github.com/erinodev
https://github.com/petardev101
https://github.com/supercrytoking
https://github.com/kevindavies8
https://github.com/johnfrench3
https://github.com/ericbrown2716
https://github.com/renawolford6
https://github.com/coopfeathy
https://github.com/dreamcoder75
https://github.com/holyblock
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/cedev935
https://github.com/aleksandaralek
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/aidev-Jesse
https://github.com/EugeneYoona
https://github.com/fairskyDev0201
https://github.com/TechSolutionNinja
https://github.com/alisenola
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/Linda423
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/genie4viz
https://github.com/hussammousa68
https://github.com/zeus-soft-world
https://github.com/erinodev
https://github.com/petardev101
https://github.com/supercrytoking
https://github.com/kevindavies8
https://github.com/johnfrench3
https://github.com/ericbrown2716
https://github.com/peterjohnson4987
https://github.com/renawolford6
https://github.com/Yoshidayoshi23
https://github.com/renawolford6
https://github.com/coopfeathy
https://github.com/dreamcoder75
https://github.com/holyblock
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/cedev935
https://github.com/aleksandaralek
https://github.com/xbucks
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/EugeneYoona
https://github.com/fairskyDev0201
https://github.com/TechSolutionNinja
https://github.com/alisenola
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/Linda423
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/genie4viz
https://github.com/hussammousa68
https://github.com/zeus-soft-world
https://github.com/chivalrousdev
https://github.com/erinodev
https://github.com/petardev101
https://github.com/supercrytoking
https://github.com/johnfrench3
https://github.com/ericbrown2716
https://github.com/renawolford6
https://github.com/dreamcoder75
https://github.com/holyblock
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/cedev935
https://github.com/aleksandaralek
https://github.com/xbucks
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/EugeneYoona
https://github.com/fairskyDev0201
https://github.com/TechSolutionNinja
https://github.com/alisenola
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/Linda423
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/genie4viz
https://github.com/chivalrousdev
https://github.com/petardev101
https://github.com/supercrytoking
https://github.com/kevindavies8
https://github.com/johnfrench3
https://github.com/renawolford6
https://github.com/Yoshidayoshi23
https://github.com/dreamcoder75
https://github.com/holyblock
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/cedev935
https://github.com/aleksandaralek
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/fairskyDev0201
https://github.com/TechSolutionNinja
https://github.com/alisenola
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/mirdavion
https://github.com/codingzeus1218999
https://github.com/joyfulmagician
https://github.com/sphinxDevVic
https://github.com/SmartDev555
https://github.com/crypto-artisan
https://github.com/Watcher919
These accounts, which engage in this type of activity combined with joining certain organizations, share characteristics that we’ve previously identified. Additionally, many of these accounts follow each other, raising further suspicion about the intentionality behind this artificial activity on these GitHub profiles, which are typically associated with developers focused on Blockchain, Full Stack, and Web3.
An important aspect to note regarding the accounts displaying this type of activity is that some appear to be stolen, as they retain the data and information of the previous user. Others use fake identities with accounts less than two years old, while some accounts show a much older creation history.
It has recently been observed that the use of these older accounts has expanded within this network of fake “developers,” as they appear to generate more credibility and trust.
Upon reviewing the activity of these accounts, we found one account (https://github.com/Sayonara01) with 13k followers, which is particularly notable as it follows a large number of similar accounts — either empty or with little activity — and its only follower is the mentioned account (Sayonara) a “Full stack Dev”:
This makes the account a point of interest, as it hosts a large number of these “farmed” accounts.
Below are several accounts (followed by Sayonara) that indicate they are part of a network. It is important to note that these accounts have greater age, limited activity, and are relatively new to be in use:
As evidenced, the only profile following all these suspicious accounts is Sayonara01. Below is a sample of the accounts followed by Sayonara, which also meet the characteristics of having little to no activity, being quite old, and being followed by Sayonara01:
Given that Sayonara follows approximately 13k accounts, the volume of these types of accounts is quite high. Here is a small sample of these accounts that are used for various suspicious activities:
e.g Accounts farmed by suspicious profilehttps://github.com/operkins
https://github.com/KimBrown
https://github.com/JenniferYoung
https://github.com/christian48
https://github.com/keith16
https://github.com/Clarkwendy
https://github.com/sandovalandrew
https://github.com/coreygonzales
https://github.com/christian48
https://github.com/kwells
https://github.com/Brian35
https://github.com/Gavin50
https://github.com/jay39
https://github.com/christiancampos
https://github.com/JesusMorgan
https://github.com/dnichols
https://github.com/mirandacraig
https://github.com/Kristen36
https://github.com/lmorris
https://github.com/michaelascott
https://github.com/Annette71
https://github.com/bonnie77
https://github.com/Leonard48
https://github.com/elizabethwagner
https://github.com/samanthabailey
https://github.com/Colleen41
https://github.com/brian91
https://github.com/brianroberts
https://github.com/james10
https://github.com/groberts
https://github.com/jordanmorales
https://github.com/jacksonwilliam
https://github.com/anna26
https://github.com/jessicasmall
https://github.com/Tiffany90
https://github.com/gabriel56
https://github.com/NicholasWarner
https://github.com/Christina70
https://github.com/vanessa56
https://github.com/hyang
https://github.com/jordanmorales
https://github.com/jacksonwilliam
https://github.com/anna26
https://github.com/Carl92
https://github.com/randysnyder
https://github.com/thomasparker
https://github.com/ashleykelsey
https://github.com/KaneGregory
https://github.com/SIMONDAVID
https://github.com/lreyes
https://github.com/eric39
https://github.com/vhenry
https://github.com/Mark33
Based on this list and analyzing some profiles, we have observed that they aim to build credibility and association by attempting to make commits in Web3-related projects and repositories.
We have also seen that this account (sayonara) following the activity of other important GitHub accounts related to web3 projects.
By analyzing different account clusters, we’ve identified certain accounts that are more actively attempting to collaborate or make PRs/commits in projects, primarily within the Web3 industry.
Below, we’ll provide evidence of accounts that exhibit visual characteristics similar to those previously mentioned. These accounts tend to follow one another, often with just one or two intermediary connections. In many cases, they can be traced through their followers, following lists, stars, or even the commits they share across their repositories.
Here are some examples of these accounts interacting with various projects, most of which are within the Web3 industry:
Example 1:
In this case, the profile “dev0614” has certain characteristics in its GitHub handle, as well as in the description of its bio:
This account attempts to make a PR in the following repository but receives a negative response from the repository owner, as the account does not belong to the company:
Example 2:
The account Oyase-shinobi also exhibits similar behavior by attempting to actively participate in projects
This account shows more activity; in this case, it interacts with LiraDAO:
Another example of this unusual “hungry-job” behavior is as follows, directed towards Juno Build
Example 3:
Another example that highlights the intent of these accounts to gain access and collaborate on these projects is the activity of the account kentaurse
This account attempts to interact with darwinia-network
In addition, we have observed how some accounts have focused their efforts on various projects, which has led to the creation of clusters of suspicious accounts attempting to interact with certain repositories.s.
This chapter is reserved due to requests from individuals who wish to keep their names and company details confidential. However, for research and intelligence purposes, it is important to share the modus operandi of these profiles and how they are managing to gain access to various projects.
The following will present specific cases that highlight activity related to the DPRK IT Workers “WagMole” campaign on GitHub and how these actors are successfully infiltrating and securing roles with Web3 companies:
Case 1: Suspicious accounts interacting with developer
Target: Developer — https://www.linkedin.com/in/tupui/
Upon reviewing the activity of the account mentioned in the previous case, which uses the GitHub handle “kindsecret,” we found another account interacting with it. As evidenced in this repository, the account “0xexp-po” attempts to merge the pull request from “kindsecret”.
This account, which attempts to merge the pull request from “kindsecret,” is:
This profile also displays what we have previously identified as “hungry job behavior,” showing an overwhelming intention to work and collaborate on other projects. Some examples of this behavior are outlined here.
This profile attempts to interact with Luan Labs by making a suggestion in the repository of this project
Other example of this account trying to colaborate in MyneTEC a Social Media Mining Company
Other example of this account actively trying to engage is in FOSSASIA (Open Technologies developed in Asia and Around the Globe)
Additionally, it is evident that the account “0xexp-p” makes several contributions to this repository called: soroban-versioning
It seems that this person was hired by tupui to develop some of his projects, according to the interactions in these repositories:
This repository is owned by Pamphile Roy — https://github.com/tupui
According to their LinkedIn profile, their name is Pamphile Roy, and he is a Senior Software Engineer at Bitpanda
The full extent of the activity from this 0xexp-p account remains unclear, but it is evident that the activity is primarily focused on Web3 projects. In this particular case, the account seems to be targeting a developer from this exchange, suggesting that they may be interested in gaining access to this individual or the get financial compansated by their work.
This interaction could potentially have long-term consequences, especially considering that their activity might remain dormant for months or years, either with financial motives or, in the worst-case scenario, aiming to gain access to these projects-companies.
We have seen cases where the developer’s environment can be compromised, so there is a high risk that an exchange of infected files can trigger several negative aspects at the security level for the company where he works.
Case 2: Suspicious account participating in a DAO
Target: ProductShare DAO — https://x.com/iproductshare
This case is related to two accounts that were previously mentioned in this part of the investigation. In the profile of https://github.com/kindsecret, there is a repository named rust-HackerRank
In this repository, the GitHub account “Toptalhook” contributes
Similarly, we see this same account interacting with 0xexp-p o
This profile had also been mentioned earlier due to its suspicious activity
Therefore, toptalhook interacts with https://github.com/0xExp-po and https://github.com/kindsecret. Given this connection between these accounts, we will now analyze the toptalhook profile:
In their repositories, there is a CV with the following identity:
Kai De Tan — toptall.cook@gmail.com
Additionally, this other style of CV with the same identity is found:
However, this account is also using another CV where it identifies as Julio Acin from Spain.
When searching on GitHub for the email address used in this CV, noahsflood908@gmail.com, we found an account that uses this same email, as shown here:
The account using this same email as its personal identity is called “Sweetdream.” This account also links to a LinkedIn profile under the name Hiroto Iwaki, located in Japan
This account also uses the same identity of “Julio Acin” in its portfolio
Within their GitHub profile, there is a repository named “Automation-Bot,” where multiple CVs of other identities used by this account can be found:
It is highly likely that the account using the name “Julio Acin” is being utilized on UpWork, as there are some details associated with this account found in this repository:
An additional detail is that their LinkedIn profile, “mymiracle0118,” also seems to show a strong intention of seeking employment.
On their LinkedIn, their activity in ProductShare DAO is referenced
ProductShare it is developing products in blockchain as they stated:
ProductShare DAO is composed of various people and projects, and they also play a role as stakeholders
According to this DAO, there are different categories regarding who makes it up:
Considering this composition, we see that Hiroto Iwaki is listed as a co-creator and holds 500,000 stake shares
The URL of his personal site, which he uses to identify himself within this DAO, is:
Similarly, it is worth highlighting that other Web3 projects, such as ReFi Tulum, Hedgey Finance, and others, are also part of this DAO. These are significant initiatives where these profiles have managed to make an impact
The activity of this account clearly indicates that it is a fraudulent profile due to the number of different identities it uses. Additionally, as we’ve shown, there are numerous irregularities linked to this account, suggesting the possibility that its involvement in this DAO may have been under a fraudulent identity.
Further evidence of its intent to seek employment can be seen in the following case on Fiverr:
This profile is also listed on a Japanese employment website:
Given the numerous irregularities, there is a significant risk of long-term negative impacts on these projects if an individual with fraudulent identities becomes part of this DAO.
Case 3: Threat Actors Disguised as Developers building TaraSwap
Target: TaraSwap — https://www.taraswap.app/
This case involves an individual from the Taraxa project who, along with an external team, developed TaraSwap. In this instance, we believe Threat Actors Disguised as Developers were involved in building TaraSwap
Some developers behind the TaraSwap project may be related to North Korean threat actors posing as developers
Tracking this account reveals repositories [finalgoal231] that we have previously connected to DPRK threat actors — IT workers.
This profile is actually in the organization we previous found to be hosted by fake profiles simulating a work-job enviroment:
The members of this organization are entirely fabricated and controlled by other members of this same organization
We already have mentioned the presence of this account (Onder Kayabasi) in previous investigations following one account in this organization: https://github.com/Luis96920
The activities of this organization (finalgoal231) and its associated profiles are part of a network of GitHub accounts that seem to be shifting focus from their previous activity of “hiring” to seeking employment, primarily in Web3-related roles.
After analyzing the activity of the profile https://github.com/0x66eth
We are aware of certain accounts within this network of fake profiles claiming to be developers
The account 0x66eth is following 2 github profiles with some interesting activity regarding their commits, behavior, following, personal information, and previous intelligence we gathered
Our focus will be joyfulmagician
His activity appears somewhat inconsistent, with a clear focus on seeking employment opportunities.
Key aspects to highlight include the high number of accounts following him, the accounts he follows, the extended periods of inactivity, and the fact that his only commit aligns directly with the purpose of this investigation
Relation with Taraxa-Taraswap:
Taraxa is a purpose-built, fast & scalable Layer-1 public ledger designed to help democratize reputation by making informal data trustworthy.
Within his ecosystem, there are several projects and upcoming launches with specific dates:
In this launch, taraSwap is our subject of analysis, taking into account certain characteristics of the project, as well as the developers and dynamics surrounding it, which raise suspicions that it may have been developed by DPRK IT workers
Taraswap is the first yield-centric DEX on Taraxa.
It also link to his GitHub repository
The telegram channel of TaraSwap is https://t.me/taraswap
Relation between TaraSwap and Taraxa:
Based on the telegram conversation the taraSwap is not runned by the core team.
Later the admin of the Taraxa project in the Telegram channel confirms this information:
Likewise, Előd Varga seems to be in charge of this team based on the telegram chat conversations in the Taraxa project.
Thus, it was managed by Elrod as a third-party team, but it is not the core team behind the development of this project. They have mentioned this repeatedly in the Taraxa Telegram chat, which seems unusual.
He is also the admin in the TaraSwap channel and the team behind the TaraSwap claim that Előd Varga represents them
The owner of the telegram channel: 0xCore TSWAP
The telegram handle [DevZi1a] match the GitHub account building TaraSwap
The GitHub account responsible for building a significant part of TaraSwap was created on April 12, 2024:
Furthermore, there is little information available about this account beyond its involvement with the taraSwap project, which is unusual for a developer, considering the personal recognition typically associated with such work.
This behavior is abnormal, and it is also strange that the developers have a representative (Előd Varga represents them) and work as a closed team. This raises further suspicions about their reasons for remaining hidden or anonymous.
joyfulmagician and TaraSwap:
As mentioned earlier, the account “joyfulmagician” had previously been reported for suspicious behavior associated with this network of fake accounts posing as developers which seems to be linked with DPRK threat actors, as seen in previous investigations
In this context, the account’s involvement in TaraSwap is observed since july-24–2024:
This means that the account https://github.com/joyfulmagician has made multiple commits to the taraSwap repository, establishing them as a developer of the project.
TaraSwap and Előd Varga
Many conversations on Telegram suggest that Előd Varga is familiar with the development team and maintains contact with them. However, the development team remains invisible for reasons that seem odd
We noticed some GitHub accounts that we had previously investigated, which are part of a network of “fake developers” linked to DPRK threat actors.
Among Előd Varga’s followers are accounts that have been extensively investigated for being part of a network of fake accounts used to gain access to various projects and jobs, allowing them to be compensated as developers
Much of the activity of these accounts [https://github.com/AI0228] & [https://github.com/warmice71] has been linked to generating engagement and following numerous accounts that exhibit specific patterns, behaviors, creation dates, activity levels, and other aspects under analysis.
The connection becomes more significant when they’re followed by a suspicious user, such as AI0228 or warmice71, who doesn’t rely on an autofollowback bot or similar automated tools.
Similarly, it is worth highlighting a notable aspect of Előd Varga’s GitHub profile: some of his repositories related to “talent search.” This repository contain keywords commonly used by accounts linked to North Korean threat actors to describe themselves in their GitHub bios.
While these accounts massively follow others on GitHub, it has been observed that these same suspicious accounts also follow their targets.
Contacted TaraSwap team:
After uncovering these irregularities, we decided to contact the TaraSwap team, led by Előd Varga, regarding this profile. He stated, “This person was a freelancer the TaraSwap team used, but that’s done”. Likewise, Előd Varga acknowledged that the team was hired through third parties and confirmed that, after a thorough review, the contributed code was safe.
Issues in TaraSwap:
Since January 10, several users have raised questions regarding the amount of tokens in circulation
This suspicious activity was creating FUD, which led the team to issue a statement explaining what had happened. The statement explains that the attacker had exploited a ‘vulnerability in our [Staker Module]’:
This attack allowed the attacker to drain at least 4.5 TSWAP tokens and sell them, which negatively impacted the token’s price. The statement also outlines the next steps following the exploit. Although the attack was on a smaller scale with minimal impact, projects like these can be easily exploited if we they don’t know who is behind their development.
Considering these details, we found that a significant portion of this project was built by this ‘unknown developer,’ who is linked to the accounts we monitor associated with DPRK IT workers focused on Web3 activity.
In this case, while there was a ‘small’ exploit, there is a high likelihood that these developers may seek financial compensation by working for third parties. If the opportunity arises, they will likely aim for greater economic gains, potentially exploiting the projects they work on or targeting others they see as viable.
Based on the evidence presented, there are several concerns regarding the developers of this project and their possible identities. A particularly noteworthy aspect is the involvement of accounts such as ‘AI0228’ and ‘warmice71,’ which have been clearly identified as engaging in fraudulent activities on GitHub, including the use of fake profiles to pose as developers and secure work under false identities.
Case 4: GitHub Accounts interacting with the Stellar Foundation repositories
Target: Stellar Foundation
An interesting aspect when analyzing the activity of several of these accounts is their expressed interest in various Stellar Foundation repositories. This can be seen in the following examples, where a series of accounts with numerous irregularities in their profiles attempt to contribute to several repositories.
Example 1:
The following example highlights the intentions of this account, which we had mentioned earlier dev0614
They attempt to develop this commit in the Stellar repository called “laboratory”:
Similarly, this account has also attempted to contribute to other projects. The following links provide several examples:
https://github.com/lira-dao/ecosystem/pull/47
https://github.com/Taraxa-project/bridge/issues/20
https://github.com/orgs/yfosp/discussions/372
https://github.com/ethglobal/nextjs-wagmi-viem-starter/discussions/2
https://github.com/mgguild/ai-games/issues/79
https://github.com/Taraxa-project/bridge/issues/20
Example 2:
Another example is the account Oyase-shinobi
Another example is the account, which on several occasions has attempted to contribute to Stellar Foundation projects
The links where this account attempts to contribute are provided below
Issues:
stellar/stellar-disbursement-platform-backend#348
stellar/stellar-disbursement-platform-backend#102
stellar/stellar-disbursement-platform-backend#410
This same account also attempts to contribute to other projects.:
Other projects where this account contributes
- https://github.com/akash-network/console/issues/354
- https://github.com/lira-dao/ecosystem/issues/56
- https://github.com/junobuild/create-juno/issues/39
- https://github.com/paritytech/polkadot-sdk/issues/5754
- https://github.com/SpaceXpanse/rod-rpc-explorer/issues/3
Potential Link Between Suspicious GitHub Accounts and the “SuperStar” Naming Pattern
A key observation in the suspicious GitHub activity is the repeated use of the nicknames “Super” and “Star” in GitHub handles, email addresses, and even bios. Palo Alto’s Indicators of Compromise (IOCs) also reveal this combination in email addresses. Additionally, screenshots from these accounts suggest a personal connection to the term “SuperStar,” making it a fitting name for this cluster of accounts linked to the WageMole campaign
Suspicious Activity on GitHub Linked to Certain Accounts
Suspicious activity on GitHub has been observed, particularly with accounts that share specific characteristics previously identified in our investigations. These characteristics include profile appearance, personal description, GitHub handles, and even profile images. These accounts exhibit certain behavioral patterns, interacting with organizations in similar ways and within the same timeframe once these accounts are created. However, it is important to note that not all suspicious accounts engage in this type of activity.
Adaptive Behavior and “Open Source Contributor” Profiles
One interesting aspect is how these accounts adapt based on ongoing trends. Several suspicious accounts have added “Open Source Contributor” to their BIOS, which allows them to collaborate on repositories across different projects and blend in with the GitHub and Web3 communities.
Patterns and Coordination Across Accounts
Curiously, some email addresses flagged by Palo Alto are strikingly similar to the GitHub handles we’ve already monitored as suspicious, linking them to this campaign. There are multiple accounts interacting with older repositories to create a façade of credibility. However, the mass and coordinated nature of their commits reveals similar patterns, and the same accounts, with their distinctive profile images and GitHub handles, are repeatedly involved.
Use of Older Accounts to Gain Credibility
We’ve observed that some accounts have opted to use older profiles in an effort to gain more credibility and access collaboration opportunities or jobs. It appears that one account may be coordinating thousands of fake, stolen, or automatically generated profiles, as they share similarities with each other, and all are followed by just one account.
Repetitive Comments and Self-Promotion
A notable aspect is the repetitive comments these accounts make when trying to collaborate on different projects. Their interest spans a wide range of projects, showcasing various skills. A clear pattern emerges as these accounts follow one another and even star each other’s repositories, reinforcing their fabricated portfolios.
Examples of Fraudulent Commit Attempts
There have been instances where accounts successfully made commits in projects. Our investigation, followed by confirmation from the project, revealed suspicious activity with these GitHub accounts.
Infiltration of ProductShare DAO
The account participating in ProductShare DAO has managed to infiltrate more closed spaces within the DAO. However, this information has not been shared with the team.
TaraSwap Issues and Suspicious Developers
The individual responsible for TaraSwap has faced multiple issues in developing the project. Following the exploit, many aspects of the project ceased to function, and the community has lost trust in it. Additionally, Elod, the person in charge of TaraSwap, acknowledged not knowing this individual, who was hired by a third party.
Focus on Stellar Foundation and Other Projects
A number of accounts appear to target Stellar Foundation, as evidenced by the multiple suspicious accounts attempting to contribute to several of its repositories. Many of these accounts, recently participating in recruitment processes or seeking collaboration in projects, list Japan as their location in their portfolios. They also face difficulties in communication and interviews, which have been highlighted in previous investigations.
Cluster of Suspicious Accounts and Web3 Projects
A cluster of accounts has been attempting to contribute to other projects. Many of their PRs and commits remain open, and in some cases, these commits have been merged without verifying the identities behind them. In other projects, their contributions are ignored. Generally, these collaborations are accepted as “non-offensive,” but the true intentions behind these “collaborations” are unclear. Their focus on Web3 projects suggests that their ultimate goal may be financial gain.
williamduncan91413@gmail.com
forever.xfactor@gmail.com
rainstorm.exp@gmail.com
toptall.cook@gmail.com
noahsflood908@gmail.com
yamamotozunki0815@gmail.com
shimamuratakehiko44@gmail.com
takutic.tech518@gmail.com
https://github.com/asseph
https://github.com/thuongtruong1009
https://github.com/Benjamin-cup
https://github.com/Cardoso-topdev
https://github.com/camillakathy
https://github.com/erikerik116
https://github.com/Kavorix
https://github.com/Phoenix-Genius
https://github.com/phoenix19950512
https://github.com/smilephoenix103
https://github.com/toptalhook
https://github.com/uniwaydev
https://github.com/creative2113
https://github.com/SacredDever
https://github.com/SacredDevKing
https://github.com/GoldenDev176743
https://github.com/dragonsea0927
https://github.com/felipedev418
https://github.com/techietrend
https://github.com/popstar7
https://github.com/Oyase-shinob
https://github.com/dev0614
https://github.com/shinevue
https://github.com/fairsky0201
https://github.com/Tru3Bliss
https://github.com/talentDA0218
https://github.com/BitFancy
https://github.com/duskodev
https://github.com/Chain-Reactor
https://github.com/motokimasuo
https://github.com/vuedev2113
https://github.com/devstar829
https://github.com/BlackStar816
https://github.com/0xp3p3x0
https://github.com/thinkingdev9
https://github.com/Benjamin-cup
https://github.com/LuckyBear0302
https://github.com/happysmile007
https://github.com/superdev947
https://github.com/ITstar726
https://github.com/MegaDev007
https://github.com/GoldenDragon0830
https://github.com/super622
https://github.com/dragonsea0927
https://github.com/honey0130
https://github.com/popstar7
https://github.com/forward012
https://github.com/futurestar425
https://github.com/SacredDever
https://github.com/super9157
https://github.com/dynamic612
https://github.com/Luis96920
https://github.com/CodeMaster1025
https://github.com/bluedream74
https://github.com/shinevue
https://github.com/montedev0516
https://github.com/felipedev418
https://github.com/billy9821
https://github.com/Lucky9596
https://github.com/smartdev5050
https://github.com/rainbowdev1359
https://github.com/techietrend
https://github.com/fairsky0201
https://github.com/aybanda
https://github.com/livedeveloper823
https://github.com/Oyase-shinobi
https://github.com/lucaslee129
https://github.com/BTC415
https://github.com/tothetop430
https://github.com/daniellowe1027
https://github.com/golden-lucky-monkey
https://github.com/RealDiligentDev
https://github.com/cedev935
https://github.com/ptc-bink
https://github.com/dev7tech
https://github.com/zhen1007
https://github.com/agiledev0115
https://github.com/smartdev914
https://github.com/silver-coding-blockchain
https://github.com/ironcg20
https://github.com/Elite314Dev
https://github.com/OnlyForward0613
https://github.com/hi-tech-AI
https://github.com/wizard0918
https://github.com/DreamBoy65
https://github.com/talentDev10
https://github.com/toptalhook
https://github.com/mymiracle0118
https://github.com/enthusiastdev121
https://github.com/cedev935
https://github.com/shiny0110
https://github.com/supersenior017
https://github.com/sagadev2015
https://github.com/SuperDev314
https://github.com/smartman0307
https://github.com/coolidev
https://github.com/dev-captain
https://github.com/superdev0826
https://github.com/ToptenDev
https://github.com/SuperHeroDev
https://github.com/wizasol
https://github.com/tp1845
https://github.com/super101217
https://github.com/ProspDev
https://github.com/Tyrese-FullStackGenius
https://github.com/dev0614
https://github.com/lucky0612
https://github.com/beaubeas
https://github.com/futurestar425
https://github.com/cryptovecom
https://github.com/profreelancer222
https://github.com/phoenix19950512
https://github.com/SeniorDev0830
https://github.com/livedeveloper823
https://github.com/superman0052
https://github.com/smartdev5050
https://github.com/rainbowdev1359
https://github.com/RandomSummer
https://github.com/happydev0126
https://github.com/MasterDev333
https://github.com/CryptoNinja0331
https://github.com/devincredible
https://github.com/warmice71
https://github.com/kallis312
https://github.com/ninjadevtrack
https://github.com/wizard0918
https://github.com/luckwings
https://github.com/top-web-talent
https://github.com/talentDA0218
https://github.com/SmartCodiDev
https://github.com/deepakcode21
https://github.com/fireman03151
https://github.com/thinkingdev9
https://github.com/LuckyBear0302
https://github.com/rustsol114
https://github.com/super622
https://github.com/Gentlemen726
https://github.com/CodeMaster1025
https://github.com/lucaslee129
https://github.com/DreamBoy65
https://github.com/0xbear9999
https://github.com/top-web-talent
https://github.com/ProspDev
https://github.com/codemaster05330
https://github.com/sagadev2015
https://github.com/smartman0307
https://github.com/luckyboy125
https://github.com/Devstar1818
https://github.com/supercomet329
https://github.com/golden-hero
https://github.com/ericbrown2716
https://github.com/peterjohnson4987
https://github.com/renawolford6
https://github.com/Yoshidayoshi23
https://github.com/coopfeathy
https://github.com/holyblock
https://github.com/cedev935
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/aleksandaralek
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/EugeneYoona
https://github.com/fairskyDev0201 [Superstar]
https://github.com/bernssolg
https://github.com/erinodev
https://github.com/supercrytoking
https://github.com/johnfrench3
https://github.com/dreamcoder75
https://github.com/TechSolutionNinja
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/Linda423
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/genie4viz
https://github.com/chivalrousdev
https://github.com/erinodev
https://github.com/petardev101
https://github.com/supercrytoking
https://github.com/kevindavies8
https://github.com/johnfrench3
https://github.com/ericbrown2716
https://github.com/renawolford6
https://github.com/coopfeathy
https://github.com/dreamcoder75
https://github.com/holyblock
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/cedev935
https://github.com/aleksandaralek
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/EugeneYoona
https://github.com/fairskyDev0201
https://github.com/TechSolutionNinja
https://github.com/alisenola
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/Linda423
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/genie4viz
https://github.com/hussammousa68
https://github.com/zeus-soft-world
https://github.com/erinodev
https://github.com/petardev101
https://github.com/supercrytoking
https://github.com/kevindavies8
https://github.com/johnfrench3
https://github.com/ericbrown2716
https://github.com/peterjohnson4987
https://github.com/renawolford6
https://github.com/Yoshidayoshi23
https://github.com/renawolford6
https://github.com/coopfeathy
https://github.com/dreamcoder75
https://github.com/holyblock
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/cedev935
https://github.com/aleksandaralek
https://github.com/xbucks
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/EugeneYoona
https://github.com/fairskyDev0201
https://github.com/TechSolutionNinja
https://github.com/alisenola
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/Linda423
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/genie4viz
https://github.com/hussammousa68
https://github.com/zeus-soft-world
https://github.com/chivalrousdev
https://github.com/erinodev
https://github.com/petardev101
https://github.com/supercrytoking
https://github.com/johnfrench3
https://github.com/ericbrown2716
https://github.com/renawolford6
https://github.com/dreamcoder75
https://github.com/holyblock
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/cedev935
https://github.com/aleksandaralek
https://github.com/xbucks
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/EugeneYoona
https://github.com/fairskyDev0201
https://github.com/TechSolutionNinja
https://github.com/alisenola
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/Linda423
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/genie4viz
https://github.com/chivalrousdev
https://github.com/petardev101
https://github.com/supercrytoking
https://github.com/kevindavies8
https://github.com/johnfrench3
https://github.com/renawolford6
https://github.com/Yoshidayoshi23
https://github.com/dreamcoder75
https://github.com/holyblock
https://github.com/AIDevMonster
https://github.com/whiteghostDev
https://github.com/cedev935
https://github.com/aleksandaralek
https://github.com/joyfulmagician
https://github.com/KonohaBrain125
https://github.com/TOP-10-DEV
https://github.com/secretsuperstar1109
https://github.com/champion119
https://github.com/aidev-Jesse
https://github.com/fairskyDev0201
https://github.com/TechSolutionNinja
https://github.com/alisenola
https://github.com/LegendaryDev320
https://github.com/kaleb0402
https://github.com/tosky19941209
https://github.com/touchsky941209
https://github.com/mirdavion
https://github.com/codingzeus1218999
https://github.com/joyfulmagician
https://github.com/sphinxDevVic
https://github.com/SmartDev555
https://github.com/crypto-artisan
https://github.com/Watcher919
https://github.com/operkins
https://github.com/KimBrown
https://github.com/JenniferYoung
https://github.com/christian48
https://github.com/keith16
https://github.com/Clarkwendy
https://github.com/sandovalandrew
https://github.com/coreygonzales
https://github.com/christian48
https://github.com/kwells
https://github.com/Brian35
https://github.com/Gavin50
https://github.com/jay39
https://github.com/christiancampos
https://github.com/JesusMorgan
https://github.com/dnichols
https://github.com/mirandacraig
https://github.com/Kristen36
https://github.com/lmorris
https://github.com/michaelascott
https://github.com/Annette71
https://github.com/bonnie77
https://github.com/Leonard48
https://github.com/elizabethwagner
https://github.com/samanthabailey
https://github.com/Colleen41
https://github.com/brian91
https://github.com/brianroberts
https://github.com/james10
https://github.com/groberts
https://github.com/jordanmorales
https://github.com/jacksonwilliam
https://github.com/anna26
https://github.com/jessicasmall
https://github.com/Tiffany90
https://github.com/gabriel56
https://github.com/NicholasWarner
https://github.com/Christina70
https://github.com/vanessa56
https://github.com/hyang
https://github.com/jordanmorales
https://github.com/jacksonwilliam
https://github.com/anna26
https://github.com/Carl92
https://github.com/randysnyder
https://github.com/thomasparker
https://github.com/ashleykelsey
https://github.com/KaneGregory
https://github.com/SIMONDAVID
https://github.com/lreyes
https://github.com/eric39
https://github.com/vhenry
https://github.com/Mark33
https://github.com/realhardworkingdeveloper
https://github.com/kallis312
e.g Accounts following suspicious profile: https://github.com/Sayonara01https://github.com/operkins
https://github.com/KimBrown
https://github.com/JenniferYoung
https://github.com/christian48
https://github.com/keith16
https://github.com/Clarkwendy
https://github.com/sandovalandrew
https://github.com/coreygonzales
https://github.com/christian48
https://github.com/kwells
https://github.com/Brian35
https://github.com/Gavin50
https://github.com/jay39
https://github.com/christiancampos
https://github.com/JesusMorgan
https://github.com/dnichols
https://github.com/mirandacraig
https://github.com/Kristen36
https://github.com/lmorris
https://github.com/michaelascott
https://github.com/Annette71
https://github.com/bonnie77
https://github.com/Leonard48
https://github.com/elizabethwagner
https://github.com/samanthabailey
https://github.com/Colleen41
https://github.com/brian91
https://github.com/brianroberts
https://github.com/james10
https://github.com/groberts
https://github.com/jordanmorales
https://github.com/jacksonwilliam
https://github.com/anna26
https://github.com/jessicasmall
https://github.com/Tiffany90
https://github.com/gabriel56
https://github.com/NicholasWarner
https://github.com/Christina70
https://github.com/vanessa56
https://github.com/hyang
https://github.com/jordanmorales
https://github.com/jacksonwilliam
https://github.com/anna26
https://github.com/Carl92
https://github.com/randysnyder
https://github.com/thomasparker
https://github.com/ashleykelsey
https://github.com/KaneGregory
https://github.com/SIMONDAVID
https://github.com/lreyes
https://github.com/eric39
https://github.com/vhenry
https://github.com/Mark33